Iterative MITM Packet Sniffer

So, I got into a discussion with a friend of mine in my Computer Security class at UCF about this script. I'm posting this for historical and educational purposes only. As always, I never condone the implementation of any of my content for malicious intent. Moreover, this script has flaws* that would make it useless in such a scenario. Don't do it!

Here's a script I hacked up last semester when I was playing with MITM attacks and packet eavesdropping with ettercap. This script will automatically:

MITM attacks are executed one victim at a time to prevent all traffic on the subnet from going through the machine running this script. Trying to ARP poison an entire subnet with active users will almost certainly stop all traffic flow for everyone.

For the same reason as above, the gateway is removed from the hosts list.

Because the MAC Address changes before every cycle around the subnet's hosts, the DHCP server issues a new IP Address lease to the attacker's computer.

Because the MAC and IP Addresses are dynamic, it becomes difficult for the attacker himself to _find_ the server on the network (I'm assuming the server is headless here). To solve this, I set ssh to a non-standard port, and did an nmap across the entire subnet for it.

Because the DHCP server is re-issuing a new IP Address lease every n*5 minutes (where n is the number of hosts on the subnet excluding the attacker and the gateway), it will likely "run out" of leases, preventing any new computers on the network from obtaining an IP Address.

Assuming the attacker is using a static, physical network connection, this attack is easily traceable.* Even though the MAC Address is spoofed, the constant DHCP requests coming from the attacker can be linked to a single, physical port on a switch. Assuming a good NIDS is installed (or perhaps an IT drone is keeping a watchful eye on network anomalies), it will be blatantly obvious to the Network Administrator of the victim subnet where the attack is physically originating.

Assuming the attacker is using a wireless network connection to an AP that allows anonymous connections without requiring users to register their MAC Address to a pre-existing user account, it would be significantly more difficult for the Network Administrator to determine where the attack is physically originating.

The best defense for this type of attack is for the Network Administrator to install a NIPS that watches for network anomalies among non-server systems and actively disables their connections. For example, a NIPS could realize that exactly every x minutes, a client on a specific port is submitting DHCP requests under supposedly unique MAC Addresses. After 3 successive equally-spaced DHCP requests, the NIPS could disable the suspected port, and alert the Network Administrator via email for further investigation.
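The detection heuristic just described (and the port-correlation point made two paragraphs up) as an added example, not the script from this post: it reads ISC dhcpd-style syslog lines, maps each requesting MAC to the switch port it was learned on, and flags any port that shows three successive DHCPDISCOVERs from distinct MACs at roughly equal spacing. The log lines, the MAC-to-port table, the port names, the year used to complete the syslog timestamps and the 30-second tolerance are all constructed or assumed for the example; in a real NIPS the MAC table would come from the switch and the response would be a port shutdown plus an email, which here is just a returned alert string.

```python
"""Flag switch ports that send periodic DHCP requests under rotating MAC addresses.

Added example for the defence described in the post; not the post's own script.
Log format: ISC dhcpd syslog lines (assumed). MAC-to-port mapping: constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Port Gi1/0/7 sends a DHCPDISCOVER every 5 minutes from
# a different MAC each time; Gi1/0/12 is an ordinary client that renews twice.
SAMPLE_LOG = """\
Mar 10 14:00:02 dhcp dhcpd: DHCPDISCOVER from 02:00:00:00:00:01 via eth0
Mar 10 14:00:02 dhcp dhcpd: DHCPOFFER on 10.0.0.21 to 02:00:00:00:00:01 via eth0
Mar 10 14:01:17 dhcp dhcpd: DHCPDISCOVER from 3c:97:0e:11:22:33 via eth0
Mar 10 14:05:02 dhcp dhcpd: DHCPDISCOVER from 02:00:00:00:00:02 via eth0
Mar 10 14:10:02 dhcp dhcpd: DHCPDISCOVER from 02:00:00:00:00:03 via eth0
Mar 10 14:12:40 dhcp dhcpd: DHCPDISCOVER from 3c:97:0e:11:22:33 via eth0
Mar 10 14:15:02 dhcp dhcpd: DHCPDISCOVER from 02:00:00:00:00:04 via eth0
"""

# Constructed stand-in for the switch's MAC address table: which physical port
# each MAC was learned on. Spoofed MACs still land on the same physical port.
PORT_OF_MAC = {
    "02:00:00:00:00:01": "Gi1/0/7",
    "02:00:00:00:00:02": "Gi1/0/7",
    "02:00:00:00:00:03": "Gi1/0/7",
    "02:00:00:00:00:04": "Gi1/0/7",
    "3c:97:0e:11:22:33": "Gi1/0/12",
}

# Only DHCPDISCOVER lines matter: a fresh discover (rather than a renew) is what
# a client with a brand-new MAC has to send to get any lease at all.
DISCOVER_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd: DHCPDISCOVER from "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) via"
)


def parse_discovers(log_text, year=2024):
    """Return [(timestamp, mac)] for every DHCPDISCOVER line, oldest first.

    Syslog timestamps carry no year, so one is assumed (parameter)."""
    events = []
    for line in log_text.splitlines():
        m = DISCOVER_RE.match(line)
        if not m:
            continue  # offers, acks and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["mac"].lower()))
    events.sort()
    return events


def find_rotating_mac_ports(log_text, port_of_mac, min_requests=3,
                            tolerance_s=30, exempt_ports=frozenset()):
    """Return {port: info} for ports with >= min_requests consecutive discovers
    from distinct MACs whose gaps agree to within tolerance_s seconds.

    exempt_ports lets server uplinks be excluded, matching the post's advice to
    watch non-server systems."""
    by_port = defaultdict(list)
    for ts, mac in parse_discovers(log_text):
        port = port_of_mac.get(mac)
        if port and port not in exempt_ports:
            by_port[port].append((ts, mac))

    flagged = {}
    for port, events in by_port.items():
        # Slide a window of min_requests consecutive discovers over the port.
        for i in range(len(events) - min_requests + 1):
            window = events[i:i + min_requests]
            macs = {mac for _, mac in window}
            if len(macs) < min_requests:
                continue  # the same client re-discovering is normal behaviour
            gaps = [(window[k + 1][0] - window[k][0]).total_seconds()
                    for k in range(min_requests - 1)]
            if max(gaps) - min(gaps) <= tolerance_s:
                flagged[port] = {
                    "interval_s": sum(gaps) / len(gaps),
                    "macs": sorted(macs),
                    "first_seen": window[0][0],
                }
                break
    return flagged


def build_alert(port, info):
    """Text a NIPS would email the administrator after shutting the port."""
    return (f"ALERT: port {port} disabled: {len(info['macs'])} DHCPDISCOVERs from "
            f"distinct MACs every {info['interval_s']:.0f}s since "
            f"{info['first_seen']:%Y-%m-%d %H:%M:%S}; MACs: {', '.join(info['macs'])}")


if __name__ == "__main__":
    for port, info in find_rotating_mac_ports(SAMPLE_LOG, PORT_OF_MAC).items():
        print(build_alert(port, info))
```

Run as-is it reports only Gi1/0/7, the port whose four discovers arrive exactly 300 seconds apart under four different MACs, while the ordinary client on Gi1/0/12 is left alone. The spacing check is what keeps false positives down: a lab bench where several real machines share a hub also shows many MACs on one port, but their requests are not equally spaced.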